[ISN] Linux Advisory Watch: November 28th, 2008

From: InfoSec News <alerts_at_private>
Date: Mon, 1 Dec 2008 03:10:35 -0600 (CST)
+----------------------------------------------------------------------+
| LinuxSecurity.com                                  Weekly Newsletter |
| November 28th, 2008                              Volume 9, Number 48 |
|                                                                      |
| Editorial Team:              Dave Wreski <dwreski_at_private> |
|                       Benjamin D. Thomas <bthomas_at_private> |
+----------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week advisories were released for iceweasel, enscript, xulrunner,
hf, thunderbird, kernel, libcdaudio, tog-pegasus, vim, libxml2, gaim,
webkit, pigin, and hplip.  Distributors include Debian, Mandriva, Red
Hat, Slackware, and Ubuntu.

---

Earn your MS in Info Assurance online

Norwich University's Master of Science in Information Assurance (MSIA)
program, designated by the National Security Agency as providing
academically excellent education in Information Assurance, provides
you with the skills to manage and lead an organization-wide
information security program and the tools to fluently communicate
the intricacies of information security at an executive level.

http://www.linuxsecurity.com/ads/adclick.php?bannerid=12

---

A Secure Nagios Server
----------------------
Nagios is a monitoring software designed to let you know about problems
on your hosts and networks quickly. You can configure it to be used on
any network. Setting up a Nagios server on any Linux distribution is a
very quick process however to make it a secure setup it takes some
work. This article will not show you how to install Nagios since there
are tons of them out there but it will show you in detail ways to
improve your Nagios security.

http://www.linuxsecurity.com/content/view/144088

---

Never Installed a Firewall on Ubuntu? Try Firestarter
-----------------------------------------------------
When I typed on Google "Do I really need a firewall?" 695,000 results
came across.  And I'm pretty sure they must be saying  "Hell yeah!".
In my opinion, no one would ever recommend anyone to sit naked on the
internet keeping in mind the insecurity internet carries these days,
unless you really know what you are doing.

Read on for more information on Firestarter.

http://www.linuxsecurity.com/content/view/142641

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf             <--

------------------------------------------------------------------------

* EnGarde Secure Community 3.0.21 Now Available (Oct 7)
  -----------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.21 (Version 3.0, Release 21). This release includes
  many updated packages and bug fixes and some feature enhancements to
  the EnGarde Secure Linux Installer and the SELinux policy.

  In distribution since 2001, EnGarde Secure Community was one of the
  very first security platforms developed entirely from open source,
  and has been engineered from the ground-up to provide users and
  organizations with complete, secure Web functionality, DNS, database,
  e-mail security and even e-commerce.

  http://www.linuxsecurity.com/content/view/143039

------------------------------------------------------------------------

* Debian: New iceweasel packages fix several vulnerabilities (Nov 24)
  -------------------------------------------------------------------
  Justin Schuh discovered that a buffer overflow in the
  http-index-format    parser could lead to arbitrary code execution.

  http://www.linuxsecurity.com/content/view/144736

* Debian: New enscript packages fix arbitrary code execution (Nov 24)
  -------------------------------------------------------------------
  Ulf Harnhammer discovered that a buffer overflow may lead to	  the
  execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/144735

* Debian: New xulrunner packages fix several vulnerabilities (Nov 23)
  -------------------------------------------------------------------
  Justin Schuh, Tom Cross and Peter Williams discovered a buffer
  overflow in the parser for UTF-8 URLs, which may lead to the
  execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/144727

* Debian: New hf packages fix execution of arbitrary code (Nov 22)
  ----------------------------------------------------------------
  Steve Kemp discovered that hf, an amateur-radio protocol suite using
  a soundcard as a modem, insecurely tried to execute an external
  command which could lead to the elevation of privileges for local
  users.

  http://www.linuxsecurity.com/content/view/144523

------------------------------------------------------------------------

* Fedora 8 Update: thunderbird-2.0.0.18-1.fc8 (Nov 21)
  ----------------------------------------------------
  This update update upgrades thunderbird packages to upstream version
  2.0.0.18, which fixes multiple security issues detailed in upstream
  security advisories:

  http://www.linuxsecurity.com/content/view/144468

------------------------------------------------------------------------

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:234 ] kernel (Nov 21)
  -------------------------------------------------------------------------
  Some vulnerabilities were discovered and corrected in the Linux 2.6
  kernel: Buffer overflow in the hfsplus_find_cat function in
  fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows
  attackers to cause a denial of service (memory corruption or system
  crash) via an hfsplus filesystem image with an invalid catalog
  namelength field, related to the hfsplus_cat_build_key_uni function.
  (CVE-2008-4933)

  http://www.linuxsecurity.com/content/view/144521

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:235 ] mozilla-thunderbird (Nov 21)
  --------------------------------------------------------------------------------------
  A number of security vulnerabilities have been discovered and
  corrected in the latest Mozilla Thunderbird program, version 2.0.0.18
  (CVE-2008-5012, CVE-2008-5014, CVE-2008-5016, CVE-2008-5017,
  CVE-2008-5018, CVE-2008-5021, CVE-2008-5022, CVE-2008-5024,
  CVE-2008-5052). This update provides the latest Thunderbird to
  correct these issues.

  http://www.linuxsecurity.com/content/view/144519

* Mandriva: Subject: [Security Announce] [ MDVSA-2008:233 ] libcdaudio (Nov 20)
  -----------------------------------------------------------------------------
  A heap overflow was found in the CDDB retrieval code of libcdaudio,
  which could result in the execution of arbitrary code
  (CVE-2008-5030). In addition, the fixes for CVE-2005-0706 were not
  applied to newer libcdaudio packages as shipped with Mandriva Linux,
  so the patch to fix that issue has been applied to 2008.1 and 2009.0
  (this was originally fixed in MDKSA-2005:075).  This issue is a
  buffer overflow flaw found by Joseph VanAndel.  Corporate 3.0 has
  this fix already applied. The updated packages have been patched to
  prevent these issues.

  http://www.linuxsecurity.com/content/view/144457

------------------------------------------------------------------------

* RedHat: Critical: java-1.4.2-ibm security update (Nov 25)
  ---------------------------------------------------------
  Updated java-1.4.2-ibm packages that fix several security issues are
  now available for Red Hat Enterprise Linux 3 Extras, Red Hat
  Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5
  Supplementary. Multiple vulnerabilities with unsigned applets were
  reported. A remote attacker could misuse an unsigned applet to
  connect to localhost services running on the host running the applet.
  (CVE-2008-3104)

  http://www.linuxsecurity.com/content/view/144741

* RedHat: Important: tog-pegasus security update (Nov 25)
  -------------------------------------------------------
  Updated tog-pegasus packages that fix security issues are now
  available for Red Hat Enterprise Linux 5. Red Hat defines additional
  security enhancements for OpenGroup Pegasus WBEM services in addition
  to those defined by the upstream OpenGroup Pegasus release. For
  details regarding these enhancements, refer to the file
  "README.RedHat.Security", included in the Red Hat tog-pegasus
  package. This update has been rated as having important security
  impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/144742

* RedHat: Moderate: vim security update (Nov 25)
  ----------------------------------------------
  Updated vim packages that fix security issues are now available for
  Red Hat Enterprise Linux 5.Several input sanitization flaws were
  found in Vim's keyword and tag handling. If Vim looked up a
  document's maliciously crafted tag or keyword, it was possible to
  execute arbitrary code as the user running Vim. (CVE-2008-4101)

  http://www.linuxsecurity.com/content/view/144738

* RedHat: Moderate: vim security update (Nov 25)
  ----------------------------------------------
  Several input sanitization flaws were found in Vim's keyword and tag
  handling. If Vim looked up a document's maliciously crafted tag or
  keyword, it was possible to execute arbitrary code as the user
  running Vim. (CVE-2008-4101)

  http://www.linuxsecurity.com/content/view/144739

* RedHat: Moderate: vim security update (Nov 25)
  ----------------------------------------------
  Updated vim packages that fix security issues are now available for
  Red Hat Enterprise Linux 2.1.Several input sanitization flaws were
  found in Vim's keyword and tag handling. If Vim looked up a
  document's maliciously crafted tag or keyword, it was possible to
  execute arbitrary code as the user running Vim. (CVE-2008-4101)

  http://www.linuxsecurity.com/content/view/144740

------------------------------------------------------------------------

* Slackware:   mozilla-thunderbird (Nov 21)
  -----------------------------------------
  New mozilla-thunderbird packages are available for Slackware 10.2,
  11.0, 12.0, 12.1, and -current to fix security issues. More details
  about the issues may be found on the Mozilla site:
  http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.h
  tml

  http://www.linuxsecurity.com/content/view/144520

* Slackware:   libxml2 (Nov 20)
  -----------------------------
  New libxml2 packages are available for Slackware 10.0, 10.1, 10.2,
  11.0, 12.0, 12.1, and -current to fix security issues including a
  denial or service or the possible execution of arbitrary code if
  untrusted XML is processed. More details about the issues may be
  found in the Common Vulnerabilities and Exposures (CVE) database:

  http://www.linuxsecurity.com/content/view/144454

------------------------------------------------------------------------

* Ubuntu:  Gaim vulnerability (Nov 24)
  ------------------------------------
  It was discovered that Gaim did not properly handle certain malformed
  messages in the MSN protocol handler. A remote attacker could send a
  specially crafted message and possibly execute arbitrary code with
  user privileges. (CVE-2008-2927)

  http://www.linuxsecurity.com/content/view/144729

* Ubuntu:  WebKit vulnerability (Nov 24)
  --------------------------------------
  It was discovered that WebKit did not properly handle Cascading Style
  Sheets (CSS) import statements. If a user were tricked into opening a
  malicious website, an attacker could cause a browser crash and
  possibly execute arbitrary code with user privileges.

  http://www.linuxsecurity.com/content/view/144730

* Ubuntu:  Pidgin vulnerabilities (Nov 24)
  ----------------------------------------
  It was discovered that Pidgin did not properly handle certain
  malformed messages in the MSN protocol handler. A remote attacker
  could send a specially crafted message and possibly execute arbitrary
  code with user privileges. (CVE-2008-2927)

  http://www.linuxsecurity.com/content/view/144731

* Ubuntu:  HPLIP vulnerabilities (Nov 24)
  ---------------------------------------
  USN-674-1 provided packages to fix vulnerabilities in HPLIP. Due to
  an internal archive problem, the updates for Ubuntu 7.10 would not
  install properly. This update provides fixed packages for Ubuntu
  7.10. We apologize for the inconvenience.  It was discovered that the
  hpssd tool of hplip did not validate	privileges in the alert-mailing
  function. A local attacker could  exploit this to gain privileges and
  send e-mail messages from the  account of the hplip user. This update
  alters hplip behaviour by  preventing users from setting alerts and
  by moving alert configuration  to a root-controlled
  /etc/hp/alerts.conf file. (CVE-2008-2940)

  http://www.linuxsecurity.com/content/view/144732

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request_at_private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


_______________________________________________      
Help InfoSecNews.org with a donation!
http://www.infosecnews.org/donate.html
Received on Mon Dec 01 2008 - 01:10:35 PST

This archive was generated by hypermail 2.2.0 : Mon Dec 01 2008 - 01:27:22 PST